100 billion emails are sent every day! Take a look at your own inbox - you probably have a couple retail offers, maybe an update from your bank, or one from your friend finally sending you the pictures from vacation. Or at least, you think those emails actually came from those online stores, your bank, and your friend, but how can you know they're legitimate and not actually a phishing scam?
What Is Phishing?
Phishing is a large scale attack where a hacker will forge an email so it looks like it comes from a legitimate company (e.g. a bank), usually with the intention of tricking the unsuspecting recipient into downloading malware or entering confidential information into a phished website (a website pretending to be legitimate which in fact a fake website used to scam people into giving up their data), where it will be accessible to the hacker. Phishing attacks can be sent to a large number of email recipients in the hope that even a small number of responses will lead to a successful attack.
What Is Spear Phishing?
Spear phishing is a type of phishing and generally involves a dedicated attack against an individual or an organization. The spear is referring to a spear hunting style of attack. Often with spear phishing, an attacker will impersonate an individual or department from the organization. For example, you may receive an email that appears to be from your IT department saying you need to re-enter your credentials on a certain site, or one from HR with a “new benefits package” attached.
Why Is Phishing Such a Threat?
Phishing poses such a threat because it can be very difficult to identify these types of messages – some studies have found as many as 94% of employees can’t tell the difference between real and phishing emails. Because of this, as many as 11% of people click on the attachments in these emails, which usually contain malware. Just in case you think this might not be that big of a deal – a recent study from Intel found that a whopping 95% of attacks on enterprise networks are the result of successful spear phishing. Clearly spear phishing is not a threat to be taken lightly.
It’s difficult for recipients to tell the difference between real and fake emails. While sometimes there are obvious clues like misspellings and .exe file attachments, other instances can be more hidden. For example, having a word file attachment which executes a macro once opened is impossible to spot but just as fatal.
Even the Experts Fall for Phishing
In a study by Kapost it was found that 96% of executives worldwide failed to tell the difference between a real and a phishing email 100% of the time. What I am trying to say here is that even security conscious people can still be at risk. But chances are higher if there isn’t any education so let’s start with how easy it is to fake an email.
See How Easy it is To Create a Fake Email
In this demo I will show you how simple it is to create a fake email using an SMTP tool I can download on the Internet very simply. I can create a domain and users from the server or directly from my own Outlook account. I have created myself a firstname.lastname@example.org and email@example.com just to show you what is possible.
I can start sending emails with these addresses immediately from Outlook. Here’s a fake email I sent from firstname.lastname@example.org.
If you would like to see this process in person click here.
This shows how easy it is for a hacker to create an email address and send you a fake email where they can steal personal information from you. The truth is that you can impersonate anyone and anyone can impersonate you without difficulty. And this truth is scary but there are solutions, including Digital Certificates
What is a Digital Certificate?
A Digital Certificate is like a virtual passport. It tells a user that you are who you say you are. Just like passports are issued by governments, Digital Certificates are issued by Certificate Authorities (CAs). In the same way a government would check your identity before issuing a passport, a CA will have a process called vetting which determines you are the person you say you are.
There are multiple levels of vetting. At the simplest form we just check that the email is owned by the applicant. On the second level, we check identity (like passports etc.) to ensure they are the person they say they are. Higher vetting levels involve also verifying the individual’s company and physical location.
Digital certificate allows you to both digitally sign and encrypt an email. For the purposes of this post, I will focus on what digitally signing an email means. (Stay tuned for a future post on email encryption!)
Using Digital Signatures in Email
Digitally signing an email shows a recipient that the email they have received is coming from a legitimate source.
In the image above, you can see the sender’s verified identity clearly presented within the email. It’s easy to see how this helps us to catch fakers from real senders and avoid falling victim to phishing
In addition to proving the source of the email, digitally signing an email also provides:
Non-repudiation: since an individual’s personal certificate was used to sign the email, they cannot later claim that it wasn’t them who signed it
Message integrity: when the recipient opens the email, their email client checks that the contents of the email match what was in there when the signature was applied. Even the slightest change to the original document would cause this check to fail.
For more information on how to digitally sign an email and what a valid or invalid S/MIME Digital Certificate looks like, please watch my webinar on Email Security Using Digital Signatures and Encryption.